https://issues.apache.org/bugzilla/show_bug.cgi?id=44864
Summary: optionalNoCA not honored
Product: Tomcat 6
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: Native:JK
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
Even when SSLVerifyClient="optionalNoCA" is specified in the connector, invalid
client certificates still lead to invalid SSL handshakes.
This is because SSL_get_verify_result(con->ssl) in sslnetwork.c still returns
!= X509_V_OK even though SSL_callback_SSL_verify() returns ok in these cases.
There is an extra check in openssl itself which is returning the error.
The way this is dealt with in mod_ssl in Apache (ssl_engine_io.c) is:
    if ((verify_result != X509_V_OK) ||
        sslconn->verify_error)
    {
        if (ssl_verify_error_is_optional(verify_result) &&
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
        {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:
             * "level optional_no_ca is actually against the idea
             * of authentication (but can be used to establish
             * SSL test pages, etc.)"
             * optional_no_ca doesn't appear to work as advertised
             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, "
                          "accepting certificate based on "
                          "\"SSLVerifyClient optional_no_ca\" "
                          "configuration");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
        }
        else {
            const char *error = sslconn->verify_error ?
                                sslconn->verify_error :
                                X509_verify_cert_error_string(verify_result);
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed: %s",
                          error ? error : "unknown");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
            return ssl_filter_io_shutdown(filter_ctx, c, 1);
        }
    }
Even though verify_result is not OK, if optional_no_ca is specified, the
request should be valid.
The release notes specify that bugs in this code should be filed under the
"Native:JNI" component, but I could not find it in the pull-down.
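Added example, not code from the report, from mod_ssl or from Tomcat Native: the post-handshake decision the report contrasts, with the bare `!= X509_V_OK` test beside the mod_ssl-style one. The `verify_error_is_optional()` list reproduces the errors mod_ssl classifies as "optional" (chain not anchored at a trusted CA, as opposed to an expired or revoked certificate); the `cverify_t` names are assumed for this example, and the X509_V_* fallback values are copied from OpenSSL's x509_vfy.h so it builds without libssl headers.

```c
#include <stdio.h>

#if defined(__has_include) && __has_include(<openssl/x509_vfy.h>)
#include <openssl/x509_vfy.h>
#else
/* Fallback: the X509_V_* codes from OpenSSL's x509_vfy.h, so this builds without libssl headers. */
#define X509_V_OK                                      0
#define X509_V_ERR_CERT_HAS_EXPIRED                   10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT        18
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN          19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY  20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE    21
#define X509_V_ERR_CERT_REVOKED                       23
#define X509_V_ERR_CERT_UNTRUSTED                     27
#endif

/* Verify modes, mirroring mod_ssl's SSL_CVERIFY_* values (names assumed for this example). */
typedef enum { CVERIFY_NONE = 0, CVERIFY_OPTIONAL, CVERIFY_REQUIRE, CVERIFY_OPTIONAL_NO_CA } cverify_t;

/* Errors mod_ssl treats as "optional": the chain could not be built or anchored at a trusted CA,
 * but the certificate itself is not expired, revoked or otherwise positively bad. */
int verify_error_is_optional(long errnum)
{
    return errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        || errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        || errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        || errnum == X509_V_ERR_CERT_UNTRUSTED
        || errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}

/* The check the report describes in sslnetwork.c: anything but X509_V_OK ends the
 * handshake, so optionalNoCA can never take effect. */
int naive_accept(long verify_result, cverify_t mode)
{
    (void)mode;
    return verify_result == X509_V_OK;
}

/* mod_ssl-style decision: an untrusted chain is accepted only when the error is one of the
 * "optional" ones AND the configured mode is optional_no_ca; everything else is rejected. */
int mod_ssl_style_accept(long verify_result, cverify_t mode)
{
    if (verify_result == X509_V_OK)
        return 1;
    if (verify_error_is_optional(verify_result) && mode == CVERIFY_OPTIONAL_NO_CA) {
        fprintf(stderr, "SSL client authentication failed, accepting certificate "
                        "based on \"SSLVerifyClient optional_no_ca\" configuration\n");
        return 1;  /* accepted, but the peer is NOT authenticated: log it, do not trust it */
    }
    return 0;
}
```

Note that an expired or revoked certificate still fails under optional_no_ca; only the "no trusted CA" class of errors is waived, and a certificate accepted this way carries no authenticated identity.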